
The Remotely Triggered Black Hole (RTBH) method is usually used to deal with DDoS attacks that have a specific destination. When we combine it with the Unicast Reverse Path Forwarding (uRPF) feature, we can also drop DoS attacks based on their source IP.

Here is the lab scenario to simulate that method (we are using Cisco routers):

To simulate the attacker, we use a loopback interface on router INET. INET has two connections to AS 65000 (the Service Provider). In this scenario, we prefer GW1 as the primary path for outgoing traffic to the Service Provider network. Here is the relevant configuration from INET:

For the Service Provider network, we use four routers: GW1, GW2, RR and PE-1. RR acts as the route reflector for all the other routers and as the trigger router. They use OSPF as the IGP and BGP in AS 65000. We also use BGP to trigger routers GW1 and GW2 to black-hole the attacker's traffic.

Here is the relevant configuration for all of the Service Provider routers:

After all BGP speakers in the Service Provider network have formed their adjacencies, on GW1 and GW2 we create the IP next-hop that will be used for every DoS source, so we can point the attacker's routes at it and have them forwarded to, and dropped at, the Null0 interface. Usually we use a non-allocated IP address for this next-hop, for example from 192.0.2.0/24 (TEST-NET).

Note that we attach the community no-export to the 192.0.2.1/32 route, in order to prevent the Service Provider routers from advertising it to neighboring ASes.

After that, still on GW1 and GW2, we enable the Unicast RPF feature on the edge interfaces. In this scenario we use the “ip verify unicast source reachable-via any” command (loose mode), which checks incoming traffic based only on its source address, because we have two gateway routers: incoming and outgoing traffic can be asymmetric, so they need not use the same edge interface, which strict mode would require.

Now, let us assume that host 100.100.1.1 has sent a DoS attack to some host in the AS 65000 customer network. So, we want to drop all traffic coming from host 100.100.1.1.

On RR (which acts as the black hole trigger router), we add a static route for 100.100.1.1/32 with tag 99; RR then advertises the route via BGP with IP next-hop 192.0.2.1/32, which on routers GW1 and GW2 resolves to Null0.
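The post's own configuration screenshots are not reproduced here, so the following is an added example (not the author's configuration) that puts the steps above into Cisco IOS syntax: the discard next-hop on the gateways, loose-mode uRPF on the edge interface, and the tag-99 trigger with its route-map on RR. The interface name GigabitEthernet0/0, the loopback addresses 10.0.0.1 (GW1), 10.0.0.2 (GW2) and 10.0.0.3 (RR), and the route-map name RTBH-TRIGGER are assumptions; the addresses 192.0.2.1, 100.100.1.1, AS 65000 and tag 99 come from the post.

```cisco
! ===== GW1 (GW2 is configured the same way) =====
! Discard next-hop from TEST-NET (192.0.2.0/24): every black-holed /32 that
! RR advertises with this next-hop resolves to Null0 on this router.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Edge interface toward INET (interface name is an assumption).
! Loose-mode uRPF: a packet is dropped when the best route to its SOURCE
! address points to Null0. "any" (not "rx") is used because the two
! gateways make the traffic asymmetric.
interface GigabitEthernet0/0
 description link to INET (assumed name)
 ip verify unicast source reachable-via any
!
router bgp 65000
 ! RR loopback 10.0.0.3 is an assumption; send-community is required,
 ! otherwise IOS strips the no-export community on IBGP sessions.
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 update-source Loopback0
 neighbor 10.0.0.3 send-community
!
! ===== RR (route reflector and trigger router) =====
! The trigger router also needs the discard route, so that the next-hop
! it sets on the redistributed /32 is reachable in its own table.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Only static routes tagged 99 are redistributed; the route-map rewrites
! the next-hop to the discard address and attaches no-export so the /32
! never leaves AS 65000.
route-map RTBH-TRIGGER permit 10
 match tag 99
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-TRIGGER deny 20
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 route-reflector-client
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 route-reflector-client
 neighbor 10.0.0.2 send-community
 redistribute static route-map RTBH-TRIGGER
!
! Trigger: black-hole the attacking source from the post. Adding this one
! line on RR is the whole operational action; GW1 and GW2 learn the /32
! via BGP and their uRPF check starts dropping the traffic.
ip route 100.100.1.1 255.255.255.255 Null0 tag 99
!
! Withdraw the black hole once the attack subsides:
! no ip route 100.100.1.1 255.255.255.255 Null0 tag 99
```

The explicit `deny 20` clause keeps any other static routes on RR out of BGP, and the raised local-preference makes the black-hole route win over any other path to the same prefix that may already exist inside the AS.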

On the gateway router (in this case GW1, because it is preferred by the INET router), the source IP of each incoming packet is checked by the Unicast RPF feature. It looks up the reverse path, i.e. the route back to the source IP (in this case 100.100.1.1/32), in the routing table. Because the next-hop of 100.100.1.1/32 in the routing table is the Null0 interface, the packet is dropped.
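The checks below are an added example (not from the post) of how to confirm on GW1 that the black hole has actually taken effect: that the /32 arrived via BGP with the discard next-hop and the no-export community, that the RIB resolves it to Null0, that loose-mode uRPF is enabled on the edge interface, and that the uRPF drop counter is rising. The interface name GigabitEthernet0/0 is an assumption.

```cisco
! ===== GW1: verification after the trigger (added example) =====
! BGP table entry: expect next-hop 192.0.2.1 and community no-export
show ip bgp 100.100.1.1
!
! RIB entry: expect the route to resolve via 192.0.2.1 to Null0
show ip route 100.100.1.1
!
! uRPF state on the edge interface (interface name assumed):
! expect "IP verify source reachable-via ANY"
show ip interface GigabitEthernet0/0 | include verify
!
! Global IP drop counters: the "unicast RPF" counter should increase
! while the 100.100.1.1 traffic is arriving
show ip traffic | include RPF
```

If the BGP entry is present but the route does not show Null0, the usual cause is a missing local `ip route 192.0.2.1 255.255.255.255 Null0` on the gateway; if the community is missing, check `send-community` on the IBGP sessions.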

So, once the black hole route is triggered, the DoS traffic is dropped at the gateway router before it reaches the customer. This is more effective than the access-list method, which is more CPU-intensive.

About Me …

Irwan Piesessa, born in Jakarta 27 years ago. Passed the CCIE Routing and Switching (#20298) certification just now, in early 2008. Wants to be a specialist in the Service Provider technology and network security fields...